From 4dfb2e31d2a21158d2f07486f269cf468082607b Mon Sep 17 00:00:00 2001
From: "quentin@aristote.fr"
Date: Sat, 1 Apr 2023 15:08:14 +0200
Subject: networking: modularize
---
 config/networking/default.nix | 87 ++++++--------------
 config/networking/hostapd.nix | 138 ---------------------------------
 config/networking/nat.nix | 21 +++++
 config/networking/services/ap.nix | 138 +++++++++++++++++++++++++++++++++
 config/networking/services/default.nix | 5 ++
 config/networking/services/dhcp.nix | 18 +++++
 config/networking/services/dns.nix | 18 +++++
 7 files changed, 225 insertions(+), 200 deletions(-)
 delete mode 100644 config/networking/hostapd.nix
 create mode 100644 config/networking/nat.nix
 create mode 100644 config/networking/services/ap.nix
 create mode 100644 config/networking/services/default.nix
 create mode 100644 config/networking/services/dhcp.nix
 create mode 100644 config/networking/services/dns.nix
diff --git a/config/networking/default.nix b/config/networking/default.nix
index 330ba3b..aa6a829 100644
--- a/config/networking/default.nix
+++ b/config/networking/default.nix
@@ -3,24 +3,24 @@
 { config, lib, pkgs, secrets, ... }:
 let
- ifaces = config.personal.networking.interfaces;
- publicSubnet = "192.168.1";
- privateSubnet = "192.168.2";
+ cfg = config.personal.networking;
 in {
- imports = [ ./hostapd.nix ];
+ imports = [ ./nat.nix ./services ];
 options.personal.networking = {
- interfaces = let
- makeInterfaceOption = type:
- lib.mkOption {
- type = lib.types.str;
- description = "Network device for the ${type} interface.";
- example = "enp4s0";
- };
- in {
- eth = makeInterfaceOption "ethernet";
- wlp2ghz = makeInterfaceOption "2 GHz WiFi";
- wlp5ghz = makeInterfaceOption "5 GHz WiFi";
+ interfaces = lib.mkOption {
+ type = with lib.types; attrsOf str;
+ description = "Reusable names for network devices.";
+ example = {
+ eth = "enp4s0";
+ };
+ };
+ subnets = lib.mkOption {
+ type = with lib.types; attrsOf str;
+ description = "Reusable names for subnets.";
+ example = {
+ private = "192.168.1";
+ };
 };
 };
@@ -33,6 +33,10 @@ in {
 wlp2ghz = "wlp5s0";
 wlp5ghz = "wlp1s0";
 };
+ subnets = {
+ public = "192.168.1";
+ private = "192.168.2";
+ };
 };
 networking = {
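Review bot: The new `subnets` option is typed `attrsOf str`, but every consumer (default.nix, dhcp.nix, dns.nix) concatenates a host octet or `.0/24` onto the value, so a full address or a CIDR such as `192.168.1.0/24` would silently yield malformed addresses; the option's description should state that contract. Suggested description: `"Reusable names for /24 subnets, given as their first three dotted octets (e.g. \"192.168.1\"); consumers append the host octet."`. If you want it enforced at evaluation time, `type = with lib.types; attrsOf (strMatching "[0-9]+\\.[0-9]+\\.[0-9]+");` in place of `attrsOf str` rejects malformed values before they reach a generated dhcpd or unbound config.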
@@ -40,66 +44,25 @@ in {
 domain = "local";
 defaultGateway = {
- address = "${publicSubnet}.1";
- interface = ifaces.eth;
+ address = "${cfg.subnets.public}.1";
+ interface = cfg.interfaces.eth;
 };
 dhcpcd.enable = false;
 interfaces = {
- "${ifaces.eth}" = {
+ "${cfg.interfaces.eth}" = {
 ipv4.addresses = [{
- address = "${publicSubnet}.2";
+ address = "${cfg.subnets.public}.2";
 prefixLength = 24;
 }];
 };
- "${ifaces.wlp5ghz}" = {
+ "${cfg.interfaces.wlp5ghz}" = {
 ipv4.addresses = [{
- address = "${privateSubnet}.1";
+ address = "${cfg.subnets.private}.1";
 prefixLength = 24;
 }];
 };
 };
-
- nat = {
- enable = true;
- externalInterface = ifaces.eth;
- internalInterfaces = [
- # ifaces.wlp2ghz
- ifaces.wlp5ghz
- ];
- };
-
- firewall.interfaces."${ifaces.wlp5ghz}" = {
- allowedTCPPorts = [ 53 ];
- allowedUDPPorts = [ 53 ];
- };
- };
-
- services.dhcpd4 = {
- enable = true;
- extraConfig = ''
- option subnet-mask 255.255.255.0;
- option routers ${privateSubnet}.1;
- option domain-name-servers ${privateSubnet}.1, 9.9.9.9;
- subnet ${privateSubnet}.0 netmask 255.255.255.0 {
- range ${privateSubnet}.10 ${privateSubnet}.99;
- }
- '';
- interfaces = [ ifaces.wlp5ghz ];
- };
-
- services.unbound = {
- enable = true;
- settings = {
- server = {
- interface = [ "127.0.0.1" "${privateSubnet}.1" ];
- access-control = [
- "0.0.0.0/0 refuse"
- "127.0.0.0/8 allow"
- "${privateSubnet}.0/24 allow"
- ];
- };
- };
 };
 };
 }
diff --git a/config/networking/hostapd.nix b/config/networking/hostapd.nix
deleted file mode 100644
index f5f399b..0000000
--- a/config/networking/hostapd.nix
+++ /dev/null
@@ -1,138 +0,0 @@
-{ config, lib, utils, pkgs, secrets, ... }:
-
-let
- cfg = config.services.hostapd;
- makeHostapdConf = { name, interface ? cfg.interface, driver ? cfg.driver, ssid
- , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
- , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
- , extraConfig ? "" }:
- builtins.toFile "hostapd.${name}.conf" (''
- interface=${interface}
- driver=${driver}
-
- # IEEE 802.11
- ssid=${ssid}
- hw_mode=${hwMode}
- channel=${toString channel}
- max_num_sta=128
- auth_algs=1
- disassoc_low_ack=1
-
- # DFS
- ieee80211h=1
- ieee80211d=1
- country_code=${countryCode}
-
-
- # WPA/IEEE 802.11i
- wpa=2
- wpa_key_mgmt=WPA-PSK
- wpa_passphrase=${passphrase}
- wpa_pairwise=CCMP
-
- # hostapd event logger configuration
- logger_syslog=-1
- logger_syslog_level=${toString logLevel}
- logger_stdout=-1
- logger_stdout_level=${toString logLevel}
-
- # WMM
- wmm_enabled=1
- uapsd_advertisement_enabled=1
- wmm_ac_bk_cwmin=4
- wmm_ac_bk_cwmax=10
- wmm_ac_bk_aifs=7
- wmm_ac_bk_txop_limit=0
- wmm_ac_bk_acm=0
- wmm_ac_be_aifs=3
- wmm_ac_be_cwmin=4
- wmm_ac_be_cwmax=10
- wmm_ac_be_txop_limit=0
- wmm_ac_be_acm=0
- wmm_ac_vi_aifs=2
- wmm_ac_vi_cwmin=3
- wmm_ac_vi_cwmax=4
- wmm_ac_vi_txop_limit=94
- wmm_ac_vi_acm=0
- wmm_ac_vo_aifs=2
- wmm_ac_vo_cwmin=2
- wmm_ac_vo_cwmax=3
- wmm_ac_vo_txop_limit=47
- wmm_ac_vo_acm=0
-
- # TX queue parameters
- tx_queue_data3_aifs=7
- tx_queue_data3_cwmin=15
- tx_queue_data3_cwmax=1023
- tx_queue_data3_burst=0
- tx_queue_data2_aifs=3
- tx_queue_data2_cwmin=15
- tx_queue_data2_cwmax=63
- tx_queue_data2_burst=0
- tx_queue_data1_aifs=1
- tx_queue_data1_cwmin=7
- tx_queue_data1_cwmax=15
- tx_queue_data1_burst=3.0
- tx_queue_data0_aifs=1
- tx_queue_data0_cwmin=3
- tx_queue_data0_cwmax=7
- tx_queue_data0_burst=1.5
- '' + extraConfig);
- hostapd2ghzConf = makeHostapdConf {
- name = "2ghz";
- interface = config.personal.networking.interfaces.wlp2ghz;
- ssid = "Quentinternet of Things";
- hwMode = "g";
- channel = 0;
- extraConfig = ''
- # IEEE 802.11n
- ieee80211n=1
- require_ht=1
- ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
- '';
- };
- hostapd5ghzConf = makeHostapdConf {
- name = "5ghz";
- interface = config.personal.networking.interfaces.wlp5ghz;
- ssid = "Quentintranet";
- hwMode = "a";
- channel = 36;
- extraConfig = ''
- # IEEE 802.11n
- ieee80211n=1
- require_ht=1
- ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
-
- # IEEE 802.11ac
- require_vht=1
- ieee80211ac=1
- vht_oper_chwidth=1
- vht_oper_centr_freq_seg0_idx=42
- vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP7][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
- '';
- };
-in {
- services.hostapd = {
- enable = true;
- driver = "nl80211";
- countryCode = "FR";
- };
-
- systemd.services.hostapd = let
- interfaces = with config.personal.networking.interfaces; [
- wlp2ghz
- wlp5ghz
- ];
- netDevices = builtins.map (interface:
- "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device")
- interfaces;
- networkLinkServices =
- builtins.map (interface: "network-link-${interface}.service") interfaces;
- in {
- serviceConfig.ExecStart = lib.mkForce
- "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}";
- after = lib.mkForce netDevices;
- bindsTo = lib.mkForce netDevices;
- requiredBy = lib.mkForce networkLinkServices;
- };
-}
diff --git a/config/networking/nat.nix b/config/networking/nat.nix
new file mode 100644
index 0000000..33e8ca7
--- /dev/null
+++ b/config/networking/nat.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+
+let cfg = config.personal.networking;
+in {
+ boot.kernel.sysctl = {
+ "net.ipv4.conf.all.forwarding" = true;
+ };
+
+ networking = {
+ nat = {
+ enable = true;
+ externalInterface = cfg.interfaces.eth;
+ internalInterfaces = [
+ # cfg.interfaces.wlp2ghz
+ cfg.interfaces.wlp5ghz
+ ];
+ };
+
+ firewall.enable = false;
+ };
+}
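Review bot: `firewall.enable = false;` in nat.nix switches the host firewall off entirely, whereas the configuration it replaces (the `firewall.interfaces."${ifaces.wlp5ghz}"` block removed from default.nix) kept the firewall on and only opened TCP/UDP 53 on the private WiFi interface; after this commit every listening service, including anything bound on the public `eth` side, is reachable unfiltered, and the commit message does not mention the change. Unless disabling it is deliberate, keep the firewall enabled and carry the per-interface allowlist into this file as below; the previous setup worked with only port 53 opened, so nothing further should be needed for the DHCP and DNS services on the private interface. Separately, as far as I recall the NixOS `networking.nat` module already sets `net.ipv4.conf.all.forwarding` when `enable = true`, so the explicit `boot.kernel.sysctl` entry looks redundant; if it is intentional, a one-line comment saying why would help the next reader.
```nix
  networking = {
    # … unchanged: nat block …

    # Keep the host firewall on; only DNS is exposed, and only on the private (AP) interface.
    firewall = {
      enable = true;
      interfaces."${cfg.interfaces.wlp5ghz}" = {
        allowedTCPPorts = [ 53 ];
        allowedUDPPorts = [ 53 ];
      };
    };
  };
```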
diff --git a/config/networking/services/ap.nix b/config/networking/services/ap.nix
new file mode 100644
index 0000000..f5f399b
--- /dev/null
+++ b/config/networking/services/ap.nix
@@ -0,0 +1,138 @@
+{ config, lib, utils, pkgs, secrets, ... }:
+
+let
+ cfg = config.services.hostapd;
+ makeHostapdConf = { name, interface ? cfg.interface, driver ? cfg.driver, ssid
+ , hwMode ? cfg.hwMode, channel ? cfg.channel, countryCode ? cfg.countryCode
+ , passphrase ? secrets.wifi."${name}".passphrase, logLevel ? cfg.logLevel
+ , extraConfig ? "" }:
+ builtins.toFile "hostapd.${name}.conf" (''
+ interface=${interface}
+ driver=${driver}
+
+ # IEEE 802.11
+ ssid=${ssid}
+ hw_mode=${hwMode}
+ channel=${toString channel}
+ max_num_sta=128
+ auth_algs=1
+ disassoc_low_ack=1
+
+ # DFS
+ ieee80211h=1
+ ieee80211d=1
+ country_code=${countryCode}
+
+
+ # WPA/IEEE 802.11i
+ wpa=2
+ wpa_key_mgmt=WPA-PSK
+ wpa_passphrase=${passphrase}
+ wpa_pairwise=CCMP
+
+ # hostapd event logger configuration
+ logger_syslog=-1
+ logger_syslog_level=${toString logLevel}
+ logger_stdout=-1
+ logger_stdout_level=${toString logLevel}
+
+ # WMM
+ wmm_enabled=1
+ uapsd_advertisement_enabled=1
+ wmm_ac_bk_cwmin=4
+ wmm_ac_bk_cwmax=10
+ wmm_ac_bk_aifs=7
+ wmm_ac_bk_txop_limit=0
+ wmm_ac_bk_acm=0
+ wmm_ac_be_aifs=3
+ wmm_ac_be_cwmin=4
+ wmm_ac_be_cwmax=10
+ wmm_ac_be_txop_limit=0
+ wmm_ac_be_acm=0
+ wmm_ac_vi_aifs=2
+ wmm_ac_vi_cwmin=3
+ wmm_ac_vi_cwmax=4
+ wmm_ac_vi_txop_limit=94
+ wmm_ac_vi_acm=0
+ wmm_ac_vo_aifs=2
+ wmm_ac_vo_cwmin=2
+ wmm_ac_vo_cwmax=3
+ wmm_ac_vo_txop_limit=47
+ wmm_ac_vo_acm=0
+
+ # TX queue parameters
+ tx_queue_data3_aifs=7
+ tx_queue_data3_cwmin=15
+ tx_queue_data3_cwmax=1023
+ tx_queue_data3_burst=0
+ tx_queue_data2_aifs=3
+ tx_queue_data2_cwmin=15
+ tx_queue_data2_cwmax=63
+ tx_queue_data2_burst=0
+ tx_queue_data1_aifs=1
+ tx_queue_data1_cwmin=7
+ tx_queue_data1_cwmax=15
+ tx_queue_data1_burst=3.0
+ tx_queue_data0_aifs=1
+ tx_queue_data0_cwmin=3
+ tx_queue_data0_cwmax=7
+ tx_queue_data0_burst=1.5
+ '' + extraConfig);
+ hostapd2ghzConf = makeHostapdConf {
+ name = "2ghz";
+ interface = config.personal.networking.interfaces.wlp2ghz;
+ ssid = "Quentinternet of Things";
+ hwMode = "g";
+ channel = 0;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+ '';
+ };
+ hostapd5ghzConf = makeHostapdConf {
+ name = "5ghz";
+ interface = config.personal.networking.interfaces.wlp5ghz;
+ ssid = "Quentintranet";
+ hwMode = "a";
+ channel = 36;
+ extraConfig = ''
+ # IEEE 802.11n
+ ieee80211n=1
+ require_ht=1
+ ht_capab=[HT40+][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][DSSS_CCK-40]
+
+ # IEEE 802.11ac
+ require_vht=1
+ ieee80211ac=1
+ vht_oper_chwidth=1
+ vht_oper_centr_freq_seg0_idx=42
+ vht_capab=[MAX-MPDU-11454][RXLDPC][SHORT-GI-80][TX-STBC-2BY1][RX-STBC-1][MAX-A-MPDU-LEN-EXP7][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN]
+ '';
+ };
+in {
+ services.hostapd = {
+ enable = true;
+ driver = "nl80211";
+ countryCode = "FR";
+ };
+
+ systemd.services.hostapd = let
+ interfaces = with config.personal.networking.interfaces; [
+ wlp2ghz
+ wlp5ghz
+ ];
+ netDevices = builtins.map (interface:
+ "sys-subsystem-net-devices-${utils.escapeSystemdPath interface}.device")
+ interfaces;
+ networkLinkServices =
+ builtins.map (interface: "network-link-${interface}.service") interfaces;
+ in {
+ serviceConfig.ExecStart = lib.mkForce
+ "${pkgs.hostapd}/bin/hostapd ${hostapd2ghzConf} ${hostapd5ghzConf}";
+ after = lib.mkForce netDevices;
+ bindsTo = lib.mkForce netDevices;
+ requiredBy = lib.mkForce networkLinkServices;
+ };
+}
diff --git a/config/networking/services/default.nix b/config/networking/services/default.nix
new file mode 100644
index 0000000..ffc56cf
--- /dev/null
+++ b/config/networking/services/default.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ imports = [ ./dhcp.nix ./dns.nix ./ap.nix ];
+}
diff --git a/config/networking/services/dhcp.nix b/config/networking/services/dhcp.nix
new file mode 100644
index 0000000..f4b1f61
--- /dev/null
+++ b/config/networking/services/dhcp.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+
+let cfg = config.personal.networking;
+in {
+ services.dhcpd4 = {
+ enable = true;
+ extraConfig = ''
+ option subnet-mask 255.255.255.0;
+ option routers ${cfg.subnets.private}.1;
+ option domain-name-servers ${cfg.subnets.public}.1, 9.9.9.9;
+ subnet ${cfg.subnets.private}.0 netmask 255.255.255.0 {
+ range ${cfg.subnets.private}.10 ${cfg.subnets.private}.99;
+ }
+ '';
+ interfaces = [ cfg.interfaces.wlp5ghz ];
+ };
+
+}
diff --git a/config/networking/services/dns.nix b/config/networking/services/dns.nix
new file mode 100644
index 0000000..beed1e7
--- /dev/null
+++ b/config/networking/services/dns.nix
@@ -0,0 +1,18 @@
+{ config, ... }:
+
+let cfg = config.personal.networking;
+in {
+ services.unbound = {
+ enable = true;
+ settings = {
+ server = {
+ interface = [ "127.0.0.1" "${cfg.subnets.private}.1" ];
+ access-control = [
+ "0.0.0.0/0 refuse"
+ "127.0.0.0/8 allow"
+ "${cfg.subnets.private}.0/24 allow"
+ ];
+ };
+ };
+ };
+}
--
cgit v1.2.3
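Review bot: `option domain-name-servers ${cfg.subnets.public}.1, 9.9.9.9;` in dhcp.nix changes which resolver the AP clients are handed: the code it was moved from (removed in the default.nix hunk) advertised `${privateSubnet}.1`, this host's own unbound listener, while `${cfg.subnets.public}.1` is the upstream gateway (`defaultGateway.address` in default.nix). The unbound instance in dns.nix listens only on `127.0.0.1` and the private `.1` and refuses everything outside the private /24, so clients would now bypass it and depend on the gateway answering DNS. In a commit described as a modularisation this reads as a transcription slip; the line should be `option domain-name-servers ${cfg.subnets.private}.1, 9.9.9.9;`.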